
Product Security Certifications – Who, What, Where, and Why

Submitted by Anonymous (not verified) on

A nation-state attack on the SolarWinds network management system in December 2020 compromised the supply chains of over 18,000 organizations, including the Pentagon and the Department of Homeland Security. As these supply chain security attacks continue, there is an increased focus on securing the supply chain. Organizations are seeking to understand their risk exposures from third parties and products they acquire and use. For products, security certifications can be useful to demonstrate security functionality as well as to assure security efficacy.

Zero-Trust or Bust


Zero Trust is a collection of security methodologies that work together to enforce access on the assumption that your network has already been compromised. It uses contextual information from identity, security, and IT infrastructure, along with risk and analytics tools, to enable dynamic, uniform enforcement of security policies across the corporate network. This session will highlight the main attributes of Zero Trust and why it is important for storage developers.

TCG Storage Work Group Update


The Storage Work Group (SWG) under the Trusted Computing Group (TCG) is active in security technologies related to data storage and focuses on data-at-rest encryption mechanisms. Over the course of 2022 and 2023, TCG SWG has been very active and has released many new specifications and reference documents. This talk will cover the various documents released and give a preview of some of the work underway. Topics covered include SIIS updates, CNL, test case documents, KPIO, and the application note for KPIO.

SPDM 1.3 and Beyond


DMTF has released SPDM version 1.3, with a number of enhancements to the protocol. These include:

- Support for multiple keys
- Event notification
- Improvements in measurement handling
- A hash-extended measurement mechanism
- Endpoint identification
- Even more support for extensibility by industry partners

The talk also reports the status of libspdm, an open source implementation of the SPDM protocol on GitHub. These changes enable new capabilities to be built on top of SPDM to enable a variety of solutions. Work on SPDM v1.4 is already underway.

Storage Security Update for Developers


2023 has been an interesting and challenging year for storage security. The cyber threat landscape has witnessed large numbers of attacks impacting data and increased nation-state activity directed at critical infrastructure. The regulatory landscape is undergoing change as well, potentially imposing requirements that necessitate adjustments to security capabilities, controls, and practices to reflect new realities. By the end of 2023 there will be significant changes to security standards and specifications relevant to storage.

How to use an Encryption Key per IO


The Key Per IO (KPIO) project was a joint initiative between NVM Express® and the Trusted Computing Group (TCG) Storage Work Group to define a new KPIO Security Subsystem Class (SSC) under the TCG Opal SSC for the NVMe® class of storage devices. Self-Encrypting Drives (SEDs) perform continuous encryption of user-accessible data based on contiguous LBA ranges per namespace. This is done at interface speeds using a small number of keys generated and held in persistent media by the storage device. KPIO allows a large number of encryption keys to be managed and securely downloaded into the NVM subsystem.

An Introduction to the IEEE Security in Storage Working Group


The IEEE Security In Storage Work Group (SISWG) produces standards that many storage developers, storage vendors, and storage system operators care about, including:

a) A family of standards on sanitization: the IEEE 2883 family
b) A family of standards on encryption methods for storage components: the IEEE 1619 family
c) A standard on Discovery, Authentication, and Authorization in Host Attachments of Storage Devices: the IEEE 1667 specification

IEEE has a different work group (IEEE P3172) focusing on post-quantum cryptography, but when they are done, a family method that recommends new q

Data Immutability – Retention Locking/WORM


Data immutability and retention locking have gained enormous traction over the last several years owing to a severe surge in the number of cyber and ransomware attacks. This presentation covers many aspects of data immutability and retention locking/WORM in the backup ecosystem. It discusses regulatory requirements for long-term data retention, variants of retention locking, the dual authorization model and the role of the security officer, various attributes of retention locking, integration of backup applications with retention locking, and retention locking in replication and cloud storage.

Storage Sanitization - Why, When, and How


Operators of data storage systems are legally obligated to protect customer data and can be subject to significant penalties. This presentation will explore existing and upcoming standards to show the best practices for sanitizing customer data. These standards include IEEE 2883-2022 and ISO/IEC 27040, and the presentation will describe current work on new standards.

The audience for this presentation includes developers and users of data storage systems, as well as developers of software utilizing those systems.

Build FIPS into Your Storage Products


Selling to the US Government can require obtaining FIPS (Federal Information Processing Standards) certification. Many storage products are based on Linux and open source code, which by themselves do not promise compliance with any standards. Sometimes the storage protocols themselves are incompatible with the required FIPS 140 standards. Sometimes the open source code is old enough that it still hand-crafts its own crypto code, dating from a time when the US Government tried to restrict some crypto algorithms.
